From 456f9aa151389f19b6babbeef23019aff14fc3eb Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Tue, 23 Nov 2021 13:47:09 +0100
Subject: [PATCH] turn off MD5 Digest authentication by default, because MD5 is marked insecure
---
 ...t.c-Apply-DigestOptions-to-RFC-2069-.patch | 36 +++++++++++++++++++
 cups.spec | 30 +++++++++++++++-
 2 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 0001-cups-http-support.c-Apply-DigestOptions-to-RFC-2069-.patch

diff --git a/0001-cups-http-support.c-Apply-DigestOptions-to-RFC-2069-.patch b/0001-cups-http-support.c-Apply-DigestOptions-to-RFC-2069-.patch
new file mode 100644
index 0000000..db4f46d
--- /dev/null
+++ b/0001-cups-http-support.c-Apply-DigestOptions-to-RFC-2069-.patch
@@ -0,0 +1,36 @@
+From 887041aaa3f61b87c55b2a746a8813be3d584034 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal
+Date: Fri, 19 Nov 2021 12:23:08 +0100
+Subject: [PATCH] cups/http-support.c: Apply DigestOptions to RFC 2069 support
+
+Earlier we applied DigestOptions only for devices which implement RFC
+2617 or RFC 7616, this commit applies it even for RFC 2069 support.
+
+This issue came up during CentOS Stream/RHEL 9 development, where MD5
+digest is marked as insecure for authentication/authorization, so it
+should be turned off in default configurations to prevent security
+issues.
+---
+ cups/http-support.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/cups/http-support.c b/cups/http-support.c
+index 209235ee6..3d1208789 100644
+--- a/cups/http-support.c
++++ b/cups/http-support.c
+@@ -1430,6 +1430,12 @@ _httpSetDigestAuthString(
+ * Use old RFC 2069 Digest method...
+ */
+
++ if (cg->digestoptions == _CUPS_DIGESTOPTIONS_DENYMD5)
++ {
++ DEBUG_puts("3_httpSetDigestAuthString: MD5 Digest is disabled.");
++ return (0);
++ }
++
+ /* H(A1) = H(username:realm:password) */
+ snprintf(temp, sizeof(temp), "%s:%s:%s", username, http->realm, password);
+ hashsize = (size_t)cupsHashData("md5", (unsigned char *)temp, strlen(temp), hash, sizeof(hash));
+--
+2.31.1
+
diff --git a/cups.spec b/cups.spec
index 23a3ce2..673fb8f 100644
--- a/cups.spec
+++ b/cups.spec
@@ -17,7 +17,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.3.3%{OP_VER}
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: ASL 2.0
 Url: https://openprinting.github.io/cups/
 # Apple stopped uploading the new versions into github, use OpenPrinting fork
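Review bot: The new DenyMD5 guard in the RFC 2069 branch returns 0 without recording any error text, so the caller of _httpSetDigestAuthString (outside this hunk) can only surface a generic authentication failure and the user cannot tell a deliberate policy refusal from a malformed WWW-Authenticate challenge; unless that caller already sets its own message, add `_cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("MD5 Digest authentication is disabled by DigestOptions."), 1);` before `return (0);`. The placement itself is right, since the check runs before the H(A1) step hashes the password with MD5, but that reasoning is not written down anywhere and this branch has no algorithm value to inspect, so I would add above the `if`: `/* RFC 2069 support always hashes with MD5 (cupsHashData("md5") below), so DenyMD5 has to refuse this whole branch. */`. Whether cg->digestoptions is an exclusive enum or a bit mask is not visible here; if it is ever turned into a mask, the `==` comparison silently stops matching. _httpSetDigestAuthString begins and ends outside the hunk.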
@@ -97,6 +97,8 @@ Patch23: 0001-cups-md5passwd.c-Stub-out-httpMD5-functions.patch Patch24: cups-deprecate-drivers.patch # 2022610 - compile with -fstack-protector-strong if available Patch25: cups-fstack-strong.patch +# Applying DigestOptions to MD5 Digest authentication defined by RFC 2069 +Patch26: 0001-cups-http-support.c-Apply-DigestOptions-to-RFC-2069-.patch ##### Patches removed because IMHO they aren't no longer needed ##### but still I'll leave them in git in case their removal @@ -322,6 +324,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in %patch24 -p1 -b .deprecated-drivers # 2022610 - compile with fstack-protector-strong if available %patch25 -p1 -b .fstack-strong +# apply DigestOptions for MD5 Digest authentication defined by RFC 2069 +%patch26 -p1 -b .no-digest-rfc2069 %if %{lspp} @@ -420,6 +424,18 @@ touch %{buildroot}%{_sysconfdir}/cups/client.conf touch %{buildroot}%{_sysconfdir}/cups/subscriptions.conf touch %{buildroot}%{_sysconfdir}/cups/lpoptions +# deny MD5 digest authentication by default in client.conf +cat > %{buildroot}%{_sysconfdir}/cups/client.conf < /dev/null || echo 'DigestOptions DenyMD5' \ +>> %{_sysconfdir}/cups/client.conf + %post client %if %{use_alternatives} /usr/sbin/alternatives --install %{_bindir}/lpr print %{_bindir}/lpr.cups 40 \ @@ -673,6 +698,9 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man7/ippeveps.7.gz %changelog +* Mon Nov 22 2021 Zdenek Dohnal - 1:2.3.3op2-11 +- turn off MD5 Digest authentication by default, because MD5 is marked insecure + * Fri Nov 12 2021 Zdenek Dohnal - 1:2.3.3op2-10 - 2022610 - fix compilation issues reported by annocheck - 2019845 - Add more warning messages about driver going deprecated (completed)
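Review bot: The scriptlet fallback `… || echo 'DigestOptions DenyMD5' >> %{_sysconfdir}/cups/client.conf` appends to the live configuration, so an administrator who deliberately set `DigestOptions None` in client.conf gets a second, conflicting directive added on the next upgrade unless the preceding grep matches the directive name rather than the DenyMD5 value; that grep is truncated in this view between `client.conf <` and `/dev/null`, where a heredoc and the start of the scriptlet appear to have been lost, so I cannot confirm which pattern it uses. Match the name, not the value, e.g. `grep -q '^DigestOptions' %{_sysconfdir}/cups/client.conf 2> /dev/null || echo 'DigestOptions DenyMD5' >> %{_sysconfdir}/cups/client.conf`, so an explicit local policy is never overridden. The `2> /dev/null` also turns an unreadable or absent file into a trigger for the append, and since the %install hunk already writes `DigestOptions DenyMD5` into the packaged client.conf, the scriptlet is only needed on upgrades; guard it with `if [ $1 -ge 2 ]; then … fi` or add a comment stating why fresh installs also run it. Which %post or %posttrans section this scriptlet belongs to cannot be confirmed from the visible lines.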